Court case W292 2248134-1 – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a person's request for data access was excessive after they filed similar complaints against 16 companies. The court supported the data authority's decision to dismiss the request, noting the burden on resources. This case shows the limits of data access rights when requests are deemed unreasonable.
What happened
A data subject's access request was dismissed as excessive after they filed similar complaints against 16 companies.
Who was affected
The individual who filed multiple data access requests against various companies.
What the authority found
The Austrian court upheld the data authority's decision to dismiss the request as excessive, citing the significant burden on resources.
Why this matters
This case illustrates that while individuals have the right to access their data, authorities may refuse requests that are unreasonable or overly burdensome. It serves as a reminder for individuals to make thoughtful and reasonable data access requests.
GDPR Articles Cited
A data subject sent an access request to 16 different controllers in multiple countries pursuant to Article 15 GDPR. Deeming the reply of these controllers not sufficient, the data subject lodged several complaints with the Austrian DPA. In the context of one of these complaints, the supervisory authority held that the request was excessive and dismissed it pursuant to Article 57(4) GDPR. The data subject appealed the decision before the Austrian federal administrative court supported by the non-profit noyb. The data subject lodged a complaint with the Austrian DPA for an alleged violation of Article 15 GDPR by one of the controllers. The DPA dismissed the claim on the basis of Article 57(4) GDPR. According to such provision, a DPA may charge a reasonable fee or refuse to act when a data subject’s request is either manifestly unfounded or excessive. Article 57(4) GDPR specifically mentions the case of repetitive claims. The federal administrative court pointed out to the fact that 16 almost identical complaints by the same data subject and in a time span of 7 months was a considerable amount of work for the supervisory authority. Another relevant point in assessing whether the claim was excessive was the fact that several controllers were based outside Austria and sometimes outside the EU. Due to the cooperation mechanisms envisaged by Articles 56 and following GDPR, the Austrian DPA would be forced to invest a large amount of resources in dealing with the data subject’s request. Concerning the controllers that were not based in the EU, the DPA was instead fully dependent on the availability to cooperate of other (when existent) supervisory authorities. The fact that in some cases only one day elapsed between the month envisaged by Article 12(3) GDPR as a deadline for the controller’s reply and the complaints was also an element suggesting that the request was excessive. In light of the above, the federal administrative court endorsed the supervisory authority
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W292 2248134-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W292 2248134-1 - Austria (2023). Retrieved from cookiefines.eu
Last updated: